CVE-2026-7301
9.8 CRITICALSGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads()...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| lmsys | sglang |
Description
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
Source: NVD
QSearch commentary
The ROUTER socket binding to 0.0.0.0 is the failure mode we now reflexively probe in any AI-serving infrastructure assessment. Combine it with a sink that performs unsafe deserialization on incoming bytes and you have unauthenticated RCE against any service that mounted the runtime. This is the canonical AI-platform deployment defect — the framework is internal-trust-boundaried by design, and shipping it on the public interface inherits an unauthenticated deserialization pathway. We flag this class in every AI Security engagement that touches a model-serving runtime.
— QSearch Security Research · 2026-05-19
Our researchers flagged this attack class earlier
In prior coverage, QSearch researchers identified this attack class as a high-likelihood target. This CVE confirms that prediction.
Read the prior coverage →References
Engagement axis
This CVE class is addressed in the QSearch ai-security axis.
Learn more about this axis →Related CVEs
Same vendor
- CVE-2026-7304 — SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor opt... (9.8 CRITICAL)
- CVE-2026-7302 — SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arb... (9.1 CRITICAL)
- CVE-2026-5760 — SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_temp... (9.8 CRITICAL)
Same CWE
- CVE-2026-41732 — JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly t... (8.1 HIGH)
- CVE-2026-41731 — JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, mea... (8.1 HIGH)
- CVE-2026-40993 — An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata)... (7.3 HIGH)
- CVE-2026-44963 — A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user
- CVE-2026-48560 — Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized ... (5.4 MEDIUM)